There’s been a lot of talk in the media recently about governments requiring technology companies to provide “keys” to any encryption they use. This is a really bad idea. Here’s why:

To start, let’s all imagine we can agree that:

  • Bad guys exist
  • Bad guys use encryption to hide what they’re doing
  • It’s law enforcement’s (we’ll call them The Government) job to catch and prosecute the bad guys
  • We want law enforcement to catch and prosecute the bad guys

[Those assumptions don’t hold for everyone, but I think they’re a reasonable starting point for most of us, so that’s what I’ll use.]

So, The Government says, “Encryption is making it harder for us to do our job, so we must stop people using encryption.”

And people respond, “Hang on… we need encryption so we can safely buy things on the internet without people stealing our credit card details, and, well, just for our own privacy.”

Then The Government responds, “Ok, you can have some encryption for banking and so on, but we need to be able to decrypt the Bad Guys’ communications, otherwise we’ll all be killed.”

This sounds reasonable to some [a lot?] of people because, even if you realise that “we’ll all be killed” is over-the-top hyperbole, we still want The Government to catch and prosecute the bad guys.

But let’s think this through.

I’ll write this next bit with the US government playing the role of The Government (even though I’m not American, nor living in the US), mainly because it’s easy for people in other countries to relate to, and the US’s decision will affect a lot more people throughout the world than a similar decision by, say, Australia.

In this scenario, the US government are The Good Guys, and their motives are pure. [Use your imagination, if you have to!] They’ve passed a law compelling US tech companies to provide a way to decrypt their users’ private information.

Some Bad Guys plan to do some Bad Stuff, and the Good Guys find out and need to get access to the Bad Guys’ emails so they can find them and prosecute them. So the Good Guys go to a tech company and say, “We need you to provide the unencrypted version of these people’s information because they are bad people. Here, we’ve got a warrant from a court.” [Yes, I know that last part is really stretching your imagination, but bear with me. I’m trying to show that even when the Good Guys do only good, handing over the keys is bad.]

And, because the tech company has a way to decrypt any of their customers’ information, they comply. And the Bad Guys get prosecuted and everyone lives happily ever after.

Yay! The system works! USA, USA!

So far, so good.

But then another government—one of the USA’s major allies, let’s say the UK—comes to the tech company and they say, “We found out about some Bad Guys too. Our friend and ally, the USA, told us that you are able to decrypt people’s information. We need you to provide the unencrypted information because they are bad people. Here, we’ve got a warrant from a court.”

What now? Well, they’re an ally, and a “nice country”; they’re one of the Good Guys too, so why not comply. And more Bad Guys are prosecuted and everyone lives happily ever after.

And then another government—one of the countries the USA is not so close to, let’s say China—comes to the tech company and they say, “We found out about some Bad Guys too. We’ve read that you are able to decrypt people’s information. We need you to provide the unencrypted contents of these people’s information because they are bad people. You don’t really have a choice, because it’s the law, but we know you’d like to help us voluntarily because you do a lot of business here.”

Hmmm, this is starting to get a bit… awkward for the tech company now. Firstly, they know that their own government, the USA, is not going to be happy with China getting access to people’s information. And the Chinese definition of “Bad Guys” isn’t necessarily the same as America’s. Plus, in this scenario, at least, they’re not using a court warrant to get access to the people’s information; they’re using a combination of legislation and coercion. But what can the tech company do? They’re a legitimate government, asking for the exact same thing that other governments have asked for, and been given. They don’t really have a choice, so they comply. And more “Bad Guys” are arrested, and they are put on trial and then shot.

Yay?

And then another government—this one is formally at war with the US, North Korea [there’s been an armistice between the two countries since 1953, but they’re officially still at war]—comes and says, “We are the legal government in North Korea, and some people have been using your service to do bad things to our peace-loving, beautiful country. We must stop these Bad People, and we need you to decrypt their information.”

Now, the tech company doesn’t want to help and, fortunately, this time they’ve got a really good excuse: “We’re sorry, but our country is at war with yours, and we’re prohibited from providing you with the keys you’ve asked for.” So that’s the end of that!

Ah, no.

For brevity, I’ve not mentioned all the other countries repeatedly asking for (demanding?) decryption keys from the tech company. Everyone knows that it’s possible to get the communications decrypted, and the keys to do so have been passed on to lots of different governments and levels of government, always for good, legitimate reasons. Now the secrets aren’t so secret. So, although North Korea can’t get the keys directly from the tech company, they can probably still get them. And they do. And the “Bad Guys” are rounded up, and are never seen again.

Nobody cheers this time.

There are around 200 countries in the world; all can claim to be a legitimate government and can legally request and/or compel companies that do business in their jurisdiction to hand over encryption keys to help them catch “the Bad Guys.” This is the thing to remember: there are more countries in the world that are not your country, and there are more people in the world who are not your citizens. And not all these countries get on with your country and, even among allies, there will be differences of opinion about who “the Bad Guys” are.

If there are decryption keys, or backdoors, there’s a near certainty that they will be used by a government in a manner that you don’t agree with. At some stage, someone you think of as a “Good Guy” will be called a “Bad Guy” by a government, and that government will have the power to compel/coerce/threaten a tech company to hand over keys and/or decrypted contents of communications. It may not be by your government—at least, not this time—but there are 200 other governments out there too.

In all this discussion, we’ve assumed that the countries are asking for specific keys for specific individuals. What is more likely is that they’ll just say, “Hand over all the keys, and any new ones you create.” And we haven’t even mentioned quasi-states like ISIS, nor criminal organisations that can afford to buy/bribe/steal encryption keys. Nor hackers breaking into the increasing number of organisations that have keys for this tech company’s customers’ information. Nor have we mentioned people who have legitimate access to the keys using them for personal purposes. Almost nobody will try to brute-force break the encryption; it’s so much easier and cheaper to buy/bribe/steal them.

The only way to prevent this is for the tech companies to not have keys they can hand over, and no way to decrypt people’s communications. This is what some companies have already implemented. It’s called end-to-end encryption and it’s used by Apple in FaceTime and iMessage, WhatsApp, Snapchat, and Line. [There are probably others too.]

But it’s not used by Gmail (although Google is looking at implementing it) nor Skype nor Facebook Messenger.
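To make the architectural point concrete, here is an added example (my own, not code from the post or from any of the services named above) that models the two designs with Go’s standard library: two devices agree a key over X25519 and encrypt with AES-256-GCM, and the only difference between the “provider holds a key” design and end-to-end encryption is whether the provider also keeps a copy of that key. The Provider type, the escrow flag and the ComplyWithRequest function are assumptions made for the illustration; whoever is asking, the provider can only hand over what it holds.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
)

type Provider struct{ Relay, Escrow map[string][]byte } // per-user ciphertext; key only if escrowed

func seal(key, msg []byte) []byte { // AES-256-GCM; keys are always 32 bytes here
	block, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(block)
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce)
	return g.Seal(nonce, nonce, msg, nil) // nonce || ciphertext || tag
}

func open(key, ct []byte) ([]byte, error) {
	block, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(block)
	return g.Open(nil, ct[:g.NonceSize()], ct[g.NonceSize():], nil)
}

// Send: two devices agree a key over X25519 and the provider relays the ciphertext.
// The only design difference is whether the provider also keeps that key (escrow=true).
func Send(p *Provider, user string, msg []byte, escrow bool) ([]byte, error) {
	sender, _ := ecdh.X25519().GenerateKey(rand.Reader)
	recipient, _ := ecdh.X25519().GenerateKey(rand.Reader)
	ss, _ := sender.ECDH(recipient.PublicKey())
	key := sha256.Sum256(ss)
	if escrow {
		p.Escrow[user] = key[:]
	}
	p.Relay[user] = seal(key[:], msg)
	rs, _ := recipient.ECDH(sender.PublicKey()) // recipient's own private half
	rkey := sha256.Sum256(rs)
	return open(rkey[:], p.Relay[user]) // what the recipient's device reads
}

// ComplyWithRequest: all the provider can do for any government's demand is decrypt with what it holds.
func ComplyWithRequest(p *Provider, user string) []byte {
	if p.Escrow[user] == nil {
		return nil // nothing held, nothing to hand over, whoever is asking
	}
	pt, _ := open(p.Escrow[user], p.Relay[user])
	return pt
}
```

Note that in both designs the provider sees the same ciphertext pass through; the difference in what it can be compelled to produce comes entirely from whether it kept a key.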

But what about the Bad Guys? They’ll literally get away with murder!

Firstly, there aren’t that many Bad Guys. But there are billions of us Good Guys.

Secondly, law enforcement has for millennia tracked down and prosecuted Bad Guys without having access to every conversation that the Bad Guys had. They can continue to do so. They won’t literally get away with murder (at least, not at a rate greater than they already do).

I don’t think anyone would class me as a Bad Guy; I’m not a criminal and don’t have anything to hide. But I don’t want someone from The Government reading my emails or texts; I don’t want some criminal in another country accessing my bank accounts; I don’t want some creep drooling over pictures of my 2-year-old niece that my sister sends me. All of that needs to be protected by simple end-to-end encryption, without backdoors.

If you have the keys to decrypt private information, you take away the privacy. The keys will be used by people they were never intended for, and they’ll be used in ways you don’t like.

Governments requiring technology companies to provide keys to any encryption they use is a Really Bad Idea™.
